From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
Date: Tue, 18 Dec 2018 19:21:32 +1100
Subject: Re: SQLite vulnerability
To: freebsd-security@freebsd.org
Cc: ports-secteam@FreeBSD.org, "secteam@freebsd.org"
Message-ID: <1594cbdb-46eb-a4cd-2e97-bc6164b2824e@FreeBSD.org>
References: <20181217084435.GC4757@spindle.one-eyed-alien.net> <14b152b6-b994-2b1a-c1ac-0fc2f606149a@FreeBSD.org>

On 18/12/2018 3:06 am, Roger Marquis wrote:
> On Mon, 17 Dec 2018, Kubilay Kocak wrote:
>> Pretty close :)
>> Original source/announcement:
>> https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed
>> [December 14th, 2018]
>
> Not original though Tenable may have based their announcement on:
>
> https://meterpreter.org/sqlite-remote-code-execution-vulnerability-alert/
> [December 11th, 2014]
>
>> I've already re-opened Issue #233712 [1], which was our
>> databases/sqlite3 port update to 3.26.0 and requested a merge to
>> quarterly.
>
> Thank you Kubilay and thanks to pavelivolkov@gmail.com who updated the
> sqlite3 port on December 4th.
>
> Roger Marquis

Created a parent tracking bug linking the existing issues, and for any other issues to be linked:

SQLite: Remote code execution vulnerability (Magellan)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234112